Web filtering. Fortinet FortiGate 400



FortiGate-400 Installation and Configuration Guide Version 2.50 MR2

Web filtering

Web filtering is enabled in firewall policies. When you enable Anti-Virus & Web filter in a firewall policy, you select a content profile that controls how web filtering behaves for HTTP traffic. Content profiles control the following types of content filtering:

• blocking unwanted URLs,

• blocking unwanted content,

• removing scripts from web pages,

• exempting URLs from blocking.

You can also use Cerberian URL blocking to block unwanted URLs. For more information, see “Using the Cerberian web filter” on page 272.

This chapter describes:

• General configuration steps

• Content blocking

• URL blocking

• Using the Cerberian web filter

• Script filtering

• Exempt URL list

General configuration steps

Configuring web filtering involves the following general steps:

1. Select web filtering options in a new or existing content profile. See “Adding a content profile” on page 197.

2. Select the Anti-Virus & Web filter option in firewall policies that allow HTTP connections through the FortiGate unit.

• Select a content profile that provides the web filtering options that you want to apply to a policy. See “Adding a content profile to a policy” on page 199.

3. Configure web filtering settings to control how the FortiGate unit applies web filtering to the HTTP traffic allowed by policies. See:

• “URL blocking” on page 269,

• “Using the Cerberian web filter” on page 272,

• “Content blocking” on page 268,

• “Script filtering” on page 274,

• “Exempt URL list” on page 275.

4. Configure the messages that users receive when the FortiGate unit blocks unwanted content or unwanted URLs. See “Customizing replacement messages” on page 164.

5. Configure the FortiGate unit to send an alert email when it blocks or deletes an infected file. See “Configuring alert email” in the Logging Configuration and Reference Guide.

Note: To receive web filtering log messages, see “Configuring logging”, and for information about log message content and format, see “Web filtering log messages” in the Logging Configuration and Reference Guide.

Content blocking

When the FortiGate unit blocks a web page, the user who requested the blocked page receives a block message and the FortiGate unit writes a message to the web filtering log.

You can add banned words to the list in many languages using Western, Simplified Chinese, Traditional Chinese, Japanese, or Korean character sets.

Adding words and phrases to the banned word list

1. Go to Web Filter > Content Block.

2. Select New to add a word or phrase to the banned word list.

3. Choose a language or character set for the banned word or phrase.

You can choose Western, Chinese Simplified, Chinese Traditional, Japanese, or Korean.

Your computer and web browser must be configured to enter characters in the character set that you choose.

4. Type a banned word or phrase.

If you type a single word (for example, banned), the FortiGate unit blocks all web pages that contain that word.

If you type a phrase (for example, banned phrase), the FortiGate unit blocks web pages that contain both words. When this phrase appears on the banned word list, the FortiGate unit inserts plus signs (+) in place of spaces (for example, banned+phrase).

If you type a phrase in quotes (for example, “banned word”), the FortiGate unit blocks all web pages in which the words are found together as a phrase.

Content filtering is not case-sensitive. You cannot include special characters in banned words.

5. Select OK.

The word or phrase is added to the banned word list.

6. In the Modify column, check the box beside the new item in the banned word list so that the FortiGate unit blocks web pages containing this word or phrase.

You can enter multiple banned words or phrases and then select Check All to activate all items in the banned word list.

Note: Banned Word must be selected in the content profile for web pages containing banned words to be blocked.

Figure 38: Example banned word list

URL blocking

You can block unwanted web URLs using both the FortiGate web filter and the Cerberian web filter.

• Using the FortiGate web filter

• Using the Cerberian web filter

Using the FortiGate web filter

You can configure the FortiGate unit to block all pages on a website by adding the top-level URL or IP address. You can also block individual pages on a website by including the full path and filename of the web page to block.

This section describes:

• Adding URLs or URL patterns to the block list

• Clearing the URL block list

• Downloading the URL block list

• Uploading a URL block list

Adding URLs or URL patterns to the block list

1. Go to Web Filter > URL Block.

2. Select New to add an item to the URL block list.

3. Type the URL/Pattern to block.

Type a top-level URL or IP address to block access to all pages on a website. For example, www.badsite.com or 122.133.144.155 blocks access to all pages at this website.

Type a top-level URL followed by the path and filename to block access to a single page on a website. For example, www.badsite.com/news.html or 122.133.144.155/news.html blocks the news page on this website.

To block all pages with a URL that ends with badsite.com, add badsite.com to the block list. For example, adding badsite.com blocks access to www.badsite.com, mail.badsite.com, www.finance.badsite.com, and so on.

Note: Do not include http:// in the URL to block. Do not use an asterisk (*) to represent any characters. You can type a top-level domain suffix (for example, “com” without the leading period) to block access to all URLs with this suffix.

Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections.

4. Select Enable to block the URL/Pattern.

5. Select OK to add the URL/Pattern to the URL block list.

You can enter multiple URLs and patterns and then select Check All to enable all items in the URL block list.

Each page of the URL block list displays 100 URLs.

6. Use Page Up and Page Down to navigate through the URL block list.

Note: You must select the Web URL Block option in the content profile to enable URL blocking.

Figure 39: Example URL block list

Clearing the URL block list

1. Go to Web Filter > URL Block.

2. Select Clear URL Block List to remove all URLs and patterns from the URL block list.

Downloading the URL block list

You can back up the URL block list by downloading it to a text file on the management computer.

1. Go to Web Filter > URL Block.

2. Select Download URL Block List.

The FortiGate unit downloads the list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.

Uploading a URL block list

You can create a URL block list in a text editor and then upload the text file to the FortiGate unit. Add one URL or pattern to each line of the text file. You can follow the item with a space and then a 1 to enable or a zero (0) to disable the URL. When you upload the text file, the FortiGate unit automatically enables all URLs and patterns that are followed by a 1 or by no number.

Figure 40: Example URL block list text file

www.badsite.com/index 1
www.badsite.com/products 1
182.63.44.67/index 1

You can either create the URL block list yourself or add a URL list created by a third-party URL block or blacklist service. For example, you can download the squidGuard blacklists available at http://www.squidguard.org/blacklist/ as a starting point for creating your own URL block list. Three times per week, the squidGuard robot searches the web for new URLs to add to the blacklists. You can upload the squidGuard blacklists to the FortiGate unit as a text file, with only minimal editing to remove comments at the top of each list and to combine the lists that you want into a single file.

Note: All changes made to the URL block list using the web-based manager are lost when you upload a new list. However, you can download your current URL block list, add more items to it using a text editor, and then upload the edited list to the FortiGate unit.

1. In a text editor, create the list of URLs and patterns to block.

2. Using the web-based manager, go to Web Filter > URL Block.

3. Select Upload URL Block List.

4. Type the path and filename of your URL block list text file, or select Browse and locate the file.

5. Select OK to upload the file to the FortiGate unit.

6. Select Return to display the updated URL block list.

Each page of the URL block list displays 100 URLs.

7. Use Page Down and Page Up to navigate through the URL block list.

8. You can continue to maintain the URL block list by making changes to the text file and uploading it again.
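The following check is an added example, not part of the Fortinet guide: it prepares a block list text file for upload by applying the rules stated above (one URL or pattern per line, optional trailing 1 or 0, no http:// prefix, no asterisk, comments removed). The sample input is constructed, and treating `#` as the comment marker of a third-party list is an assumption.

```python
import re

# Constructed sample input (not a real blacklist): a comment header as found in
# third-party lists, an http:// prefix, a wildcard, an FTP URL and a duplicate.
SAMPLE = """\
# constructed sample list
www.badsite.com/index 1
http://www.badsite.com/products
182.63.44.67/index 0
*.badsite.com 1
ftp://ftp.badsite.com
www.badsite.com/index 1
"""

SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*)://", re.IGNORECASE)

def normalise_block_list(text):
    """Return (upload_lines, problems) for a URL block list text file.

    Applies the rules stated in this chapter: one URL or pattern per line,
    optionally followed by a space and 1 (enable) or 0 (disable); no http://
    prefix; no asterisk. Treating '#' as the comment marker is an assumption.
    """
    upload, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # drop blank and comment lines
        fields = line.split()
        flag = fields.pop() if len(fields) > 1 and fields[-1] in ("0", "1") else "1"
        if len(fields) != 1:
            problems.append((lineno, "expected one URL/pattern per line"))
            continue
        entry = fields[0]
        m = SCHEME.match(entry)
        if m and m.group(1).lower() != "http":
            problems.append((lineno, "not HTTP; URL blocking does not cover this service"))
            continue
        entry = SCHEME.sub("", entry)     # strip a leading http://
        if "*" in entry:
            problems.append((lineno, "asterisk wildcards are not allowed"))
            continue
        if entry and entry not in seen:   # keep the first occurrence only
            seen.add(entry)
            upload.append(f"{entry} {flag}")
    return upload, problems

if __name__ == "__main__":
    lines, issues = normalise_block_list(SAMPLE)
    print("\n".join(lines))
    for lineno, why in issues:
        print(f"line {lineno}: {why}")
```

Entries reported as problems are left out of the upload lines, so review them before uploading; an FTP entry, for example, needs a firewall policy instead.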


Using the Cerberian web filter

The FortiGate unit supports Cerberian web filtering. For information about Cerberian web filter, see www.cerberian.com.

Note: If you are operating FortiGate units in active-passive HA mode, each FortiGate unit in the cluster must have its own Cerberian license. Cerberian web filtering is not supported for active-active HA. For information about HA, see “High availability” on page 75.

If you have purchased the Cerberian web filtering functionality with your FortiGate unit, use the following configuration procedures to configure FortiGate support for Cerberian web filtering.

General configuration steps

To use the Cerberian web filter, you must:

1. Install a Cerberian web filter license key. See “Installing a Cerberian license key on the FortiGate unit” on page 272.

2. Add users that will be using the Cerberian web filter. See “Adding a Cerberian user to the FortiGate unit” on page 272.

3. Configure the Cerberian web filter. See “Using the Cerberian web filter” on page 272.

4. Enable Cerberian URL filtering. See “Using the Cerberian web filter” on page 272.

Note: To use Cerberian web filtering, the FortiGate unit must have access to the Internet.

Installing a Cerberian license key on the FortiGate unit

Before you can use the Cerberian web filter, you must install a license key. The license key determines the number of end users allowed to use Cerberian web filtering through the FortiGate unit.

1. Go to Web Filter > URL Block.

2. Select Cerberian URL Filtering.

3. Enter the license number.

4. Select Apply.

Adding a Cerberian user to the FortiGate unit

The Cerberian web policies can only be applied to user groups. You can add users on the FortiGate unit and then add the users to user groups on the Cerberian administration web site.

When the end user tries to access a URL, the FortiGate unit will check to see if the user’s IP address is in the IP address list on the FortiGate unit. If the user’s IP address is in the list, the request will be sent to the Cerberian server. Otherwise, an error message will be sent to the user saying that the user doesn’t have authorized access to the Cerberian web filter.

1. Go to Web Filter > URL Block.

2. Select Cerberian URL Filtering.

3. Select New.

4. Enter the IP address and netmask of the user computers. You can enter the IP address of a single user. For example, 192.168.100.19 255.255.255.255. You can also enter a subnet of a group of users. For example, 192.168.100.0 255.255.255.0.

5. Enter an alias for the user. This alias will be used as the user name when you add the user to a user group on the Cerberian server. If you do not enter an alias, the user’s IP will be used and added to the default group on the Cerberian server.

6. Select OK.

Configuring Cerberian web filter

After you add the Cerberian web filter users on the FortiGate unit, you can add the users to the user groups on the Cerberian web filter server. Then you can create policies and apply the policies to the user groups.

About the default group and policy

A default user group, which is associated with a default policy, exists on the Cerberian web filter.

You can add users to the default group and apply any policies to the group.

The default group is a place for:

• All the users who are not assigned alias names on the FortiGate unit.

• All the users who are not assigned to any other user groups.

The Cerberian web filter groups the web pages into 53 categories. The default policy blocks the URLs of 12 categories. You can modify the default policy and apply it to any user groups.

To configure the Cerberian web filtering

1. Add the user name, which is the alias you added on the FortiGate unit, to a user group on the Cerberian server because the web policies can only be applied to the user groups. If you did not enter an alias for the user IP on the FortiGate unit, the user IP is automatically added to the default group.

2. Create your policies by selecting the web categories that you want to block.

3. Apply the policy to a user group which contains the user.

For detailed procedures, see the online help on the Cerberian Web Filter web page.

Enabling Cerberian URL filtering

After you add the Cerberian users/groups and configure the Cerberian web filter, you can enable Cerberian URL filtering. You must enable it in three places:

• The Cerberian URL Filtering page.

• The content profile.

• The policy that uses the content profile.

1. Go to Web Filter > URL Block.

2. Select Cerberian URL Filtering.

3. Select the Cerberian URL Filtering option.

4. Go to Firewall > Content Profile.

5. Create a new or select an existing content profile and enable Web URL Block.

6. Go to Firewall > Policy.

7. Create a new or select an existing policy that will use the content profile.

8. Select Anti-Virus & Web filter.

9. Select the content profile from the Content Profile list.

10. Click OK.

Script filtering

You can configure the FortiGate unit to remove Java applets, cookies, and ActiveX scripts from the HTML web pages.

Note: Blocking of any of these items might prevent some web pages from working properly.

• Enabling the script filter

• Selecting script filter options

Enabling the script filter

1. Go to Firewall > Content Profile.

2. Select the content profile for which you want to enable script filtering.

3. Select Script Filter.

4. Select OK.

Selecting script filter options

1. Go to Web Filter > Script Filter.

2. Select the script filter options that you want to enable.

You can block Java applets, cookies, and ActiveX.

3. Select Apply.

Figure 41: Example script filter settings to block Java applets and ActiveX

Exempt URL list

Add URLs to the exempt URL list to allow legitimate traffic that might otherwise be blocked by content or URL blocking. For example, if content blocking is set to block pornography-related words and a reputable website runs a story on pornography, web pages from the reputable website would be blocked. Adding the address of the reputable website to the exempt URL list allows the content of the website to bypass content blocking.

Note: Content downloaded from exempt web pages is not blocked or scanned by antivirus protection.

Adding URLs to the exempt URL list

1. Go to Web Filter > Exempt URL.

2. Select New to add an item to the exempt URL list.

3. Type the URL to exempt.

Type a complete URL, including path and filename, to exempt access to a page on a website. For example, www.goodsite.com/index.html exempts access to the main page of this example website. You can also add IP addresses; for example, 122.63.44.67/index.html exempts access to the main web page at this address. Do not include http:// in the URL to exempt.

Exempting a top-level URL, such as www.goodsite.com, exempts all requested subpages (for example, www.goodsite.com/badpage) from all content and URL filtering rules.

Note: Exempting a top-level URL does not exempt pages such as mail.goodsite.com from all content and URL filtering rules unless goodsite.com (without the www) is added to the exempt URL list.

4. Select Enable to exempt the URL.

5. Select OK to add the URL to the exempt URL list.

You can enter multiple URLs and then select Check All to activate all items in the exempt URL list.

Each page of the exempt URL list displays 100 URLs.

6. Use Page Down and Page Up to navigate through the exempt URL list.

Figure 42: Example exempt URL list
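Because content from exempt pages is neither filtered nor scanned by antivirus protection, it helps to see how much each exempt entry covers. The following is an added example, not FortiGate code: a simplified model of the coverage rules this chapter states for block and exempt entries, assuming host suffixes match on label boundaries and an entry with a path covers only that exact page. The probe paths are constructed.

```python
def split_entry(entry):
    """Split a list entry or requested URL (no http:// prefix) into host, path."""
    host, _, path = entry.partition("/")
    return host.lower(), path

def covers(entry, requested):
    """True if a list entry covers the requested URL under the stated rules.

    Assumptions of this model: a host entry covers that host and any host
    ending in '.<entry>' (so goodsite.com covers mail.goodsite.com, while
    www.goodsite.com does not), and an entry with a path covers one page.
    """
    e_host, e_path = split_entry(entry)
    r_host, r_path = split_entry(requested)
    if r_host != e_host and not r_host.endswith("." + e_host):
        return False
    return e_path == "" or e_path == r_path

def audit_exempt_list(entries, probes):
    """List each exempt entry with its scope and the probe URLs that would
    bypass content blocking, URL blocking and antivirus scanning."""
    report = []
    for entry in entries:
        scope = "single page" if split_entry(entry)[1] else "whole site"
        report.append((entry, scope, [u for u in probes if covers(entry, u)]))
    return report

# Host names come from the chapter's examples; the probe paths are constructed.
EXEMPT = ["www.goodsite.com", "122.63.44.67/index.html"]
PROBES = ["www.goodsite.com/badpage", "mail.goodsite.com/inbox",
          "122.63.44.67/index.html", "122.63.44.67/other.html"]

if __name__ == "__main__":
    for entry, scope, bypassed in audit_exempt_list(EXEMPT, PROBES):
        print(f"{entry:28} {scope:12} bypasses: {', '.join(bypassed) or '-'}")
```

Prefer single-page entries in the exempt list where they are enough, since a whole-site entry removes antivirus scanning for every page on that site.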
